Comments on: ACF 6.2.5 Security Release
https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/
Fri, 10 Jan 2025 12:46:19 +0000

By: Masoud Rasouli (Wed, 27 Nov 2024 08:19:33 +0000)
I've created two fields named 'review-video' and 'product-unboxing-video' using a WYSIWYG editor.

I’m inserting the following or similar script code into these fields:

    <div id="74349861627"><script type="text/JavaScript" src="https://www.aparat.com/embed/vdblggf?data%5Brnddiv%5D=74349861627&data%5Bresponsive%5D=yes"></script></div>

However, these codes aren't executing. How can I fix this issue?

By: nitmar nitmar (Sat, 19 Oct 2024 19:42:35 +0000)
Please fix this:

    <h2>(<?php the_field('partistname', $term) ?>)</h2>

By: nitmar nitmar (Sat, 19 Oct 2024 19:41:08 +0000)
Please help me and fix this:

    </h1><h2 style="display: none;">(<?php the_field('partistname', $term) ?>)</h2>

By: Konstantin Konovalov (Mon, 30 Sep 2024 14:27:46 +0000)
Such an amazing plugin and such an awful decision to apply this site-breaking feature enabled by default 🙁 I used get_field for iframes (mostly embedded YouTube) A LOT on DIFFERENT sites, which even now may still be broken because of this security fix =|

By: Nicolas Rosso (Thu, 08 Aug 2024 20:51:57 +0000)

    <?php
    $obras_asociadas = get_field('obras_asociadas', $ejemplar_id);
    var_dump($obras_asociadas);
    $obra_anterior = get_obra_anterior($obras_asociadas, $obra_id);
    if ($obra_anterior) {
        echo '<a href="' . get_permalink($obra_anterior["obra_asociada"][0]->ID) . '" class="obra-link">Obra Anterior</a>';
    }
    ?>

In that code, is the only change I have to make adding an echo before get_field?

By: Mojito (Mon, 01 Jul 2024 15:25:55 +0000)
In reply to Liam, who wrote:

"Specifically, we will escape the WYSIWYG field BEFORE oEmbeds are processed, so if your WYSIWYG field literally contains a YouTube URL for example, this will still be turned into an iframe for the YouTube video correctly."

In our testing it comes through as much more complicated.

Setup:

  • WordPress 6.5.4, ACF Pro 6.3.3
  • The field is 'content' and is a WYSIWYG field nested within a Layout as part of a Flexible Content Field.
  • The content is like:

    Overview of what's in the video. See video here:

    https://www.youtube.com/watch?v=Z8ykNnIK1Ik


Database:
We confirmed that the DB has the plain text version stored as-is

Code:
- `echo get_sub_field('content', false, false);` returns the same plain-text version
- `echo get_sub_field('content');` does indeed return the proper iframe so it can be displayed on-page BUT THIS IS THE EXACT SAME SECURITY HOLE as the editor can now add iframes that are displayed on-page.
- `echo acf_esc_html(get_sub_field('content'));` (which is what you suggest we should be doing for proper security) strips the YouTube video altogether (since it populates then strips the iframe)

Ideally editors should be able to add plain-text URLs through oEmbed which will then be safely hydrated and displayed while being unable to attack the site through malicious submissions.

If other users disagree, please add your thoughts but here's what we see:

Scenario 1: User does everything properly in a WYSIWYG, embeds videos and images, and adds text.
Scenario 1 outcome: The content is displayed as it shows in WP-Admin (adding whatever CSS is part of the theme)

Scenario 2: Along with the same content from scenario 1, User tries to do something malicious and successfully commits a bad iframe to the DB.
Scenario 2 outcome: The bad output is stripped and the rest of the content displays as intended. (bonus: hopefully we get an admin warning about this)
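Mojito's two scenarios, worked through as an added example (theme-side PHP written for this thread; it is not ACF's code and not from any comment on this page). The point is the order Liam describes: fetch the WYSIWYG value unformatted, escape it with acf_esc_html() while it still holds only what the editor typed, and only then let WordPress's own WP_Embed::autoembed() turn a bare YouTube URL into an iframe, so the iframe comes from the oEmbed provider's response rather than from the field value. The helper names, the Flexible Content field name 'sections' and the sample strings in the comments are assumptions; the function is meant to run inside a have_rows() loop exactly as the comment's setup describes.

```php
<?php
// Added example for this thread; not ACF's code and not from any comment.
// Assumes WordPress core and ACF are loaded (theme code). The helper names,
// the Flexible Content field name 'sections' and the scenario strings in
// the comments are assumptions made for illustration.

/**
 * Escape first, embed second.
 *
 * @param mixed $raw The WYSIWYG value as stored, with no formatting applied.
 * @return string    HTML that is safe to echo.
 */
function example_escape_then_embed( $raw ) {
	if ( ! is_string( $raw ) || '' === $raw ) {
		return '';
	}

	// Step 1: escape while the value still holds only what the editor typed.
	// acf_esc_html() drops <iframe>, <script>, on* handlers and javascript: URLs.
	// A bare YouTube URL is plain text, so it passes through this step untouched.
	$clean = acf_esc_html( $raw );

	// Step 2: now let WordPress turn URLs that stand on their own line (or alone
	// inside a <p>) into embeds. WP_Embed::autoembed() only queries the oEmbed
	// providers core registers (YouTube among them), so the <iframe> it inserts
	// is built from the provider's response, never copied from the field value.
	$embedded = $GLOBALS['wp_embed']->autoembed( $clean );

	// Step 3: paragraph wrapping last, mirroring the order core uses for
	// post_content (autoembed runs before wpautop on the_content).
	return wpautop( $embedded );
}

/**
 * Same thing for the 'content' WYSIWYG sub-field inside a Flexible Content row.
 *
 * Scenario 1 (constructed sample value):
 *   "Overview of what's in the video. See video here:\n\nhttps://www.youtube.com/watch?v=Z8ykNnIK1Ik"
 *   Result: the text is kept and the URL becomes a YouTube iframe.
 *
 * Scenario 2 (constructed sample value): the same text followed by
 *   "\n\n<iframe src=\"https://attacker.invalid/\"></iframe>"
 *   Result: the smuggled <iframe> is removed by acf_esc_html() before
 *   autoembed runs; the YouTube URL still embeds and the text still renders.
 */
function example_the_sub_field_content_safely( $selector = 'content' ) {
	// Second argument false = do not run ACF's format filters (no wpautop,
	// no oEmbed, no escaping), so the order of operations is ours.
	$raw = get_sub_field( $selector, false );
	echo example_escape_then_embed( $raw );
}

// Usage inside the template, 'sections' being the assumed Flexible Content field.
if ( have_rows( 'sections' ) ) {
	while ( have_rows( 'sections' ) ) {
		the_row();
		example_the_sub_field_content_safely( 'content' );
	}
}
```

Two caveats a practitioner will want: autoembed only recognises a URL that stands alone on its own line (or alone inside a paragraph), which is why the plain-text link in the comment's setup works; and pasting a ready-made `<iframe>` or `<script>` into the WYSIWYG, as several commenters above do, can never survive this pipeline, because stripping exactly that markup is what the escape step is for.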
By: Infosiniestro Info (Fri, 28 Jun 2024 08:58:47 +0000)
Hello, I'm desperate. I have a field in which I include the YouTube code in the posts I publish. It detects it as unsafe HTML. My problem is that I don't know where I have to put the code that you provide so that the unsafe HTML will be accepted. I have tried putting it before the YouTube script and it doesn't work. I also don't know if I'm putting in the correct code. Please help!!!

By: John Mounsey (Thu, 09 May 2024 11:33:01 +0000)
Pretty sure I "get" this (i.e. understand it!). I DO use the [acf field] side of things, but it only ever outputs either plain text (e.g. the name of a movie director) OR a URL string (e.g. https://imdb.com) – that's it.

So nothing has broken... and all is well / safe(?) – BUT I get the reminder/warning message each and every time. Is that because I need to take more action – or if not, can it be disabled somehow? No plans to use this field any more extensively than now...

By: WoodyP (Sat, 20 Apr 2024 07:35:52 +0000)
Hello Liam, thanks for the explanation. I have some doubts about how to modify my code: what should I write now instead of get_field? These are the snippets I'm using. Thank you!

—

    $post      = get_post( get_the_id() );
    $author_id = $post->post_author;
    if ( ! empty( get_field( 'test', 'user_' . $author_id ) ) ) {
        $nametest  = get_field( 'test', 'user_' . $author_id );
        $authorurl = get_author_posts_url( $author_id );
        // The HTML markup between these quotes was stripped when the comment was posted.
        echo '' . $authorurl . '' . $nametest . '';
    }

—

    $post     = get_post( get_the_id() );
    $trad_ext = get_field( 'namedemo', $post );
    if ( ! empty( $trad_ext ) ) {
        if ( $trad_ext == 'en' ) {
            $postobj = get_field( 'namedemo_en', $post );
            echo '<div class="namedemo_art"><a class="en" href="' . get_permalink( $postobj ) . '">Read in English</a></div>';
        }
        if ( $trad_ext == 'it' ) {
            $postobj = get_field( 'namedemo_it', $post );
            echo '<div class="namedemo_art"><a class="it" href="' . get_permalink( $postobj ) . '">Read</a></div>';
        }
    }

—

By: holdusback (Thu, 18 Apr 2024 07:20:07 +0000)
Hey there,

I get this special message using a shortcode on a URL field, rendering via a shortcode on a custom post type page.

I don't really get how I fix this? It doesn't have any iframe, script or stuff like that, it's just a normal https URL.

Hope you can help !
